Topic: MAJOR PROBLEMS: smitfraud, trojans, spyware, etc.
   
PostTime: 12/16/2008 11:18:28 AM
I'm having some real serious spyware and trojan problems. I have Spybot Search & Destroy, which says I have smitfraud, which I've tried to remove a few times; I reboot the system and it's still there... I keep getting popups and Spyware Doctor keeps telling me things are trying to access the internet. I don't know what to do anymore.

Here are my logs for HJT and SUPERAntiSpyware

Logfile of HijackThis v1.98.0
Scan saved at 6:45:11 PM, on 5/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\avp.exe
C:\Program Files\Uniblue\RegistryBooster2\RegistryBooster.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Bradford Networks\Client Security Agent\bnpagent.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\smanager.7.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\Matt\Desktop\PC Utilities\HijackThis.exe

O2 - BHO: (no name) - {08003689-D93C-49F9-9445-BDDB5BB1905b} - C:\WINDOWS\system32\ftxpuvxp.dll
O2 - BHO: (no name) - {28FACC8B-23A6-4DAD-BCCD-8B00E99DA7BE} - C:\WINDOWS\SYSTEM32\AWTQR.DLL
O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - C:\WINDOWS\system32\aegqemwb.dll
O2 - BHO: (no name) - {D2692EE8-4795-44F4-A8FF-8FAC5D4FE947} - C:\WINDOWS\SYSTEM32\KHFEDEE.DLL
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\rcanlcev.dll",realset
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\system32\avp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Uniblue Registry Booster2] C:\Program Files\Uniblue\RegistryBooster2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe



SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/16/2007 at 07:23 PM

Application Version : 3.7.1018

Core Rules Database Version : 3239
Trace Rules Database Version: 1250

Scan type : Complete Scan
Total Scan Time : 00:44:10

Memory items scanned : 426
Memory threats detected : 6
Registry items scanned : 5321
Registry threats detected : 80
File items scanned : 33136
File threats detected : 569

Trojan.WinFixer
C:\WINDOWS\SYSTEM32\AWTQR.DLL
C:\WINDOWS\SYSTEM32\AWTQR.DLL
HKLM\Software\Classes\CLSID\{28FACC8B-23A6-4DAD-BCCD-8B00E99DA7BE}
HKCR\CLSID\{28FACC8B-23A6-4DAD-BCCD-8B00E99DA7BE}
HKCR\CLSID\{28FACC8B-23A6-4DAD-BCCD-8B00E99DA7BE}\InprocServer32
HKCR\CLSID\{28FACC8B-23A6-4DAD-BCCD-8B00E99DA7BE}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{28FACC8B-23A6-4DAD-BCCD-8B00E99DA7BE}
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\awtqr

Trojan.Mezzia/Resident
C:\WINDOWS\SYSTEM32\WINMQX32.DLL
C:\WINDOWS\SYSTEM32\WINMQX32.DLL

Unclassified.Unknown Origin
C:\WINDOWS\SYSTEM32\KHFEDEE.DLL
C:\WINDOWS\SYSTEM32\KHFEDEE.DLL
HKLM\Software\Classes\CLSID\{D2692EE8-4795-44F4-A8FF-8FAC5D4FE947}
HKCR\CLSID\{D2692EE8-4795-44F4-A8FF-8FAC5D4FE947}
HKCR\CLSID\{D2692EE8-4795-44F4-A8FF-8FAC5D4FE947}\InprocServer32
HKCR\CLSID\{D2692EE8-4795-44F4-A8FF-8FAC5D4FE947}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D2692EE8-4795-44F4-A8FF-8FAC5D4FE947}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{D2692EE8-4795-44F4-A8FF-8FAC5D4FE947}
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\khfedee
HKCR\CLSID\{D2692EE8-4795-44F4-A8FF-8FAC5D4FE947}
C:\DOCUMENTS AND SETTINGS\MATT\DESKTOP\PC UTILITIES\BACKUPS\BACKUP-20070516-164531-483.DLL
C:\DOCUMENTS AND SETTINGS\MATT\DESKTOP\PC UTILITIES\BACKUPS\BACKUP-20070516-164610-499.DLL

Trojan.Downloader-CREW
C:\WINDOWS\SYSTEM32\FTXPUVXP.DLL
C:\WINDOWS\SYSTEM32\FTXPUVXP.DLL
HKLM\Software\Classes\CLSID\{08003689-D93C-49F9-9445-BDDB5BB1905b}
HKCR\CLSID\{08003689-D93C-49F9-9445-BDDB5BB1905B}
HKCR\CLSID\{08003689-D93C-49F9-9445-BDDB5BB1905B}\InprocServer32
HKCR\CLSID\{08003689-D93C-49F9-9445-BDDB5BB1905B}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{08003689-D93C-49F9-9445-BDDB5BB1905b}
C:\DOCUMENTS AND SETTINGS\MATT\DESKTOP\PC UTILITIES\BACKUPS\BACKUP-20070516-164525-793.DLL
C:\WINDOWS\SYSTEM32\BVRXGLTO.DLL
C:\WINDOWS\SYSTEM32\GMYUCSHP.DLL
C:\WINDOWS\SYSTEM32\HCWAHEHS.DLL
C:\WINDOWS\SYSTEM32\MCCFTYAE.DLL
C:\WINDOWS\SYSTEM32\MITCRQCB.DLL
C:\WINDOWS\SYSTEM32\OSMCNXSS.DLL
C:\WINDOWS\SYSTEM32\VVLBAMJE.DLL
C:\WINDOWS\SYSTEM32\YMTOORKJ.DLL

Trojan.Downloader-Gen/LIB
C:\WINDOWS\SYSTEM32\UFSQVOXS.DLL
C:\WINDOWS\SYSTEM32\UFSQVOXS.DLL
C:\DOCUMENTS AND SETTINGS\MATT\LOCAL SETTINGS\TEMP\ALHURHYD.DLL
C:\DOCUMENTS AND SETTINGS\MATT\LOCAL SETTINGS\TEMP\CDKACXRF.DLL
C:\DOCUMENTS AND SETTINGS\MATT\LOCAL SETTINGS\TEMP\EISQKXNK.DLL
C:\DOCUMENTS AND SETTINGS\MATT\LOCAL SETTINGS\TEMP\IHAGBUXK.DLL
C:\DOCUMENTS AND SETTINGS\MATT\LOCAL SETTINGS\TEMP\LDBPWJSY.DLL
C:\DOCUMENTS AND SETTINGS\MATT\LOCAL SETTINGS\TEMP\PXCAKDPS.DLL
C:\DOCUMENTS AND SETTINGS\MATT\LOCAL SETTINGS\TEMP\RIOIPDUT.DLL
C:\WINDOWS\SYSTEM32\BXUTTQNO.DLL
C:\WINDOWS\SYSTEM32\DEJGXCSG.DLL
C:\WINDOWS\SYSTEM32\EPNGLCFF.DLL
C:\WINDOWS\SYSTEM32\IFJJBDMY.DLL
C:\WINDOWS\SYSTEM32\ILDGEOED.DLL
C:\WINDOWS\SYSTEM32\JNYVTKOJ.DLL
C:\WINDOWS\SYSTEM32\KELVJDLU.DLL

Trojan.Downloader-SManager
C:\WINDOWS\SMANAGER.7.EXE
C:\WINDOWS\SMANAGER.7.EXE
[SManager] C:\WINDOWS\SMANAGER.7.EXE

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{D651AFF4-9590-424d-BD1E-8E33E090DFB3}
HKCR\CLSID\{D651AFF4-9590-424D-BD1E-8E33E090DFB3}
HKCR\CLSID\{D651AFF4-9590-424D-BD1E-8E33E090DFB3}\InprocServer32
HKCR\CLSID\{D651AFF4-9590-424D-BD1E-8E33E090DFB3}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{E2EE5C44-C66D-499d-BEAE-A2A79189A63A}
HKCR\CLSID\{E2EE5C44-C66D-499D-BEAE-A2A79189A63A}
HKCR\CLSID\{E2EE5C44-C66D-499D-BEAE-A2A79189A63A}\InprocServer32
HKCR\CLSID\{E2EE5C44-C66D-499D-BEAE-A2A79189A63A}\InprocServer32#ThreadingModel
C:\DOCUME~1\MATT\LOCALS~1\TEMP\AUMQJXQV.DLL
HKCR\CLSID\{D651AFF4-9590-424D-BD1E-8E33E090DFB3}
HKCR\CLSID\{E2EE5C44-C66D-499D-BEAE-A2A79189A63A}

Unclassified.Oreans32
HKLM\System\ControlSet006\Services\oreans32
C:\WINDOWS\SYSTEM32\DRIVERS\OREANS32.SYS
HKLM\System\ControlSet007\Services\oreans32
HKLM\System\ControlSet008\Services\oreans32
HKLM\System\CurrentControlSet\Services\oreans32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Capabilities
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\LogConf
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control#Active Service
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Type
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Start
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#NextInstance

Trojan.Downloader-Win/GHY
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\winmqx32
 
     
   
PostTime: 12/16/2008 9:47:25 PM
I saw in another smitfraud thread to use combofix... here is the log for that...


"Matt" - 2007-05-16 20:57:53 Service Pack 2
ComboFix 07-05.17.V - Running from: "C:\Documents and Settings\Matt\Desktop\FIX\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\aegqemwb.dll
C:\WINDOWS\system32\gwkdbxoh.dll
C:\WINDOWS\system32\hvdpabkn.dll
C:\WINDOWS\system32\ncchdkrd.dll
C:\WINDOWS\system32\xoijtroc.dll
C:\WINDOWS\system32\iifebxx.dll
C:\WINDOWS\system32\jkkjhhf.dll
C:\WINDOWS\system32\hoxbdkwg.ini
C:\WINDOWS\system32\nkbapdvh.ini


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
C:\WINDOWS\system32\components


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-16 ))))))))))))))))))))))))))))))))))


2007-05-16 20:54 11,776 --a------ C:\WINDOWS\smanager.7.exe
2007-05-16 19:08 1,465,242 ---hs---- C:\WINDOWS\system32\rqtwa.ini2
2007-05-16 18:36 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-05-16 18:36 <DIR> d-------- C:\DOCUME~1\Matt\APPLIC~1\SUPERAntiSpyware.com
2007-05-16 18:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-05-16 16:37 83,536 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-05-16 16:37 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-05-16 16:37 59,984 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-05-16 16:37 52,304 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-05-16 16:37 39,248 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
2007-05-16 16:37 26,064 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-05-16 16:37 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-05-16 16:37 <DIR> d-------- C:\DOCUME~1\Matt\APPLIC~1\PC Tools
2007-05-16 16:32 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-05-16 16:32 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-05-16 16:32 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-05-16 16:31 17,408 --a------ C:\WINDOWS\system32\avp.exe
2007-05-14 20:55 <DIR> d-------- C:\Program Files\My Company Name
2007-05-11 14:52 84,418 --a------ C:\LSPRegBackup_11052007_145159.REG
2007-05-09 23:51 974,848 --a------ C:\WINDOWS\system32\mfc70.dll
2007-05-09 23:51 638,976 --a------ C:\WINDOWS\system32\divx.dll
2007-05-09 23:51 524,288 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-05-09 23:51 487,424 --a------ C:\WINDOWS\system32\msvcp70.dll
2007-05-09 23:51 413,760 --a------ C:\WINDOWS\system32\mpg4c32.dll
2007-05-09 23:51 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2007-05-09 23:51 261,632 --a------ C:\WINDOWS\system32\mcdvd_32.dll
2007-05-09 23:51 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-05-09 23:51 139,264 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-05-09 23:51 1,700,352 --a------ C:\WINDOWS\system32\GdiPlus.dll
2007-05-09 23:51 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2007-05-09 23:51 <DIR> d-------- C:\Program Files\AVSMedia
2007-05-07 18:45 <DIR> d-------- C:\Program Files\Uniblue
2007-05-07 18:45 <DIR> d-------- C:\DOCUME~1\Matt\APPLIC~1\Uniblue
2007-05-05 10:06 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-05-04 11:44 1,475,941 ---hs---- C:\WINDOWS\system32\rqtwa.bak2
2007-05-03 11:44 1,482,223 ---hs---- C:\WINDOWS\system32\rqtwa.bak1
2007-05-02 21:59 77,312 --a------ C:\WINDOWS\ua2.dll
2007-05-01 10:51 21,688 --a------ C:\DOCUME~1\Matt\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-04-27 08:51 <DIR> d-------- C:\Program Files\Bradford Networks


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-16 22:34:06 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-05-14 21:43:01 -------- d-----w C:\DOCUME~1\Matt\APPLIC~1\Ruckus Network
2007-05-10 03:48:59 -------- d-----w C:\DOCUME~1\Matt\APPLIC~1\Apple Computer
2007-05-06 19:21:51 0 ----a-w C:\WINDOWS\b103.exe
2007-05-05 16:27:17 0 ----a-w C:\WINDOWS\b104.exe
2007-05-05 14:00:11 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-04 12:46:56 -------- d-----w C:\Program Files\Symantec AntiVirus
2007-05-02 23:04:30 -------- d-----w C:\DOCUME~1\Matt\APPLIC~1\Prevx
2007-04-28 00:57:41 -------- d-----w C:\DOCUME~1\Matt\APPLIC~1\Ventrilo
2007-04-24 19:59:01 -------- d-----w C:\Program Files\Sexy Party
2007-04-24 19:58:56 -------- d-----w C:\Program Files\SP
2007-04-24 19:58:51 -------- d-----w C:\Program Files\RD
2007-04-05 12:56:41 -------- d-----w C:\Program Files\Common Files\Simple Star Shared
2007-04-05 12:56:41 -------- d-----w C:\DOCUME~1\Matt\APPLIC~1\Simple Star
2007-04-01 22:29:59 -------- d-----w C:\Program Files\Ruckus Player
2007-04-01 15:21:27 -------- d-----w C:\Program Files\iTunes
2007-04-01 15:21:24 -------- d-----w C:\Program Files\iPod
2007-04-01 15:20:22 -------- d-----w C:\Program Files\QuickTime
2007-04-01 15:18:52 -------- d-----w C:\Program Files\Apple Software Update
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-15 16:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll
2007-03-15 16:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-02-19 11:01:20 252,356 ----a-w C:\WINDOWS\b128.exe
2007-02-13 01:51:25 0 ----a-w C:\WINDOWS\system32\djgcmtd.dll
2007-02-12 02:35:51 8 ----a-w C:\WINDOWS\ctrdmrd3.sys
2007-02-12 02:30:17 8 ----a-w C:\WINDOWS\spobuffx.sys
2007-02-12 02:22:47 9 ----a-w C:\WINDOWS\winxfigt.sys
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avp"="C:\WINDOWS\system32\avp.exe" [2007-05-16 16:31]
"SManager"="smanager.7.exe" []
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-05-18 10:56]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uniblue Registry Booster2"="C:\Program Files\Uniblue\RegistryBooster2\RegistryBooster.exe" [2007-04-24 08:23]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 15:35]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0
Security Packages kerberos msv1_0 schannel wdigest
Notification Packages scecli

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV
NetworkService DnsCache
rpcss RpcSs
imgsvc StiSvc
termsvcs TermService
HTTPFilter HTTPFilter
DcomLaunch DcomLaunch TermService

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

*newlycreated* -PROCEXP90

~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070516-203910-918
O4 - HKLM\..\Run: [SManager] smanager.7.exe
backup-20070516-203905-999
O4 - HKLM\..\Run: [avp] C:\WINDOWS\system32\avp.exe
backup-20070516-203850-457
O4 - HKLM\..\Run: [avp] C:\WINDOWS\system32\avp.exe
backup-20070516-203850-699
O4 - HKLM\..\Run: [SManager] smanager.7.exe
backup-20070516-203831-697
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
backup-20070516-203831-174
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
backup-20070516-203831-437
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
backup-20070516-203831-290
O4 - HKLM\..\Run: [avp] C:\WINDOWS\system32\avp.exe
backup-20070516-203831-151
O4 - HKCU\..\Run: [Uniblue Registry Booster2] C:\Program Files\Uniblue\RegistryBooster2\RegistryBooster.exe /S
backup-20070516-203831-489
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
backup-20070516-203831-158
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
backup-20070516-203831-138
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\rcanlcev.dll",realset
backup-20070516-203831-492
O4 - HKLM\..\Run: [SManager] smanager.7.exe
backup-20070516-203825-131
O2 - BHO: (no name) - {D2692EE8-4795-44F4-A8FF-8FAC5D4FE947} - C:\WINDOWS\SYSTEM32\KHFEDEE.DLL
backup-20070516-203819-135
O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - C:\WINDOWS\system32\aegqemwb.dll
backup-20070516-203813-946
O2 - BHO: (no name) - {28FACC8B-23A6-4DAD-BCCD-8B00E99DA7BE} - C:\WINDOWS\SYSTEM32\AWTQR.DLL
backup-20070516-203813-809
O2 - BHO: (no name) - {08003689-D93C-49F9-9445-BDDB5BB1905b} - C:\WINDOWS\system32\ftxpuvxp.dll
backup-20070516-164611-967
O4 - HKLM\..\Run: [avp] C:\WINDOWS\system32\avp.exe
backup-20070516-164611-619
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
backup-20070516-164610-499
O2 - BHO: (no name) - {D2692EE8-4795-44F4-A8FF-8FAC5D4FE947} - C:\WINDOWS\system32\khfedee.dll
backup-20070516-164610-185
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
backup-20070516-164610-121
O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - C:\WINDOWS\system32\ojsabxre.dll
backup-20070516-164604-192
O2 - BHO: (no name) - {3EC61397-95E8-4202-BAFD-10242B195C0F} - C:\WINDOWS\system32\awtqr.dll
backup-20070516-164532-629
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
backup-20070516-164532-803
O4 - HKCU\..\Run: [Uniblue Registry Booster2] C:\Program Files\Uniblue\RegistryBooster2\RegistryBooster.exe /S
backup-20070516-164532-157
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
backup-20070516-164532-536
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
backup-20070516-164532-201
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
backup-20070516-164532-495
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvjov.dll,startup
backup-20070516-164532-908
O4 - HKLM\..\Run: [avp] C:\WINDOWS\system32\avp.exe
backup-20070516-164532-604
O4 - HKLM\..\Run: [SManager] smanager.7.exe
backup-20070516-164532-361
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\DOCUME~1\Matt\LOCALS~1\Temp\bprhdarc.dll",realset
backup-20070516-164531-387
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
backup-20070516-164531-775
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F 310
backup-20070516-164531-715
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
backup-20070516-164531-483
O2 - BHO: (no name) - {D2692EE8-4795-44F4-A8FF-8FAC5D4FE947} - C:\WINDOWS\system32\khfedee.dll
backup-20070516-164531-409
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
backup-20070516-164531-144
O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - C:\WINDOWS\system32\xoijtroc.dll
backup-20070516-164525-816
O2 - BHO: (no name) - {3EC61397-95E8-4202-BAFD-10242B195C0F} - C:\WINDOWS\system32\awtqr.dll
backup-20070516-164525-793
O2 - BHO: (no name) - {08003689-D93C-49F9-9445-BDDB5BB1905b} - C:\WINDOWS\system32\osmcnxss.dll
backup-20070516-164525-720
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.etown.edu/
backup-20070505-100541-613
O4 - HKLM\..\Run: [VaCtrls] v7
backup-20070505-100541-342
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\hvdpabkn.dll",realset
backup-20070505-100541-278
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
backup-20070505-100402-949
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
backup-20070505-100402-708
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
backup-20070505-100402-340
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
backup-20070505-100402-889
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F 310
backup-20070505-100402-817
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\scjvbicv.dll",realset
backup-20070505-100402-896
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvxof.dll,startup
backup-20070505-100402-886
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
backup-20070505-100402-289
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
backup-20070505-100402-854
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
backup-20070505-100402-249
O4 - HKLM\..\Run: [VaCtrls] v7
backup-20070505-100402-783
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.etown.edu/
backup-20070424-160415-864
O4 - HKLM\..\Run: [VaCtrls] v7
backup-20070424-160404-151
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
backup-20070424-160400-212
O4 - HKLM\..\Run: [VaCtrls] v7
backup-20070424-160253-579
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
backup-20070424-160253-275
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
backup-20070424-160253-854
O4 - HKLM\..\Run: [VaCtrls] v7
backup-20070424-160226-312
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
backup-20070424-160226-759
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
backup-20070424-160226-575
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
backup-20070424-160226-765
O4 - HKLM\..\Run: [VaCtrls] v7
backup-20070424-160226-536
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
backup-20070424-160226-808
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
backup-20070424-160226-631
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
backup-20070424-160226-994
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
backup-20070424-160226-898
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
backup-20070424-160226-756
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
backup-20070424-160226-777
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.etown.edu/

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-16 20:59:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-16 21:01:03
C:\ComboFix-quarantined-files.txt ... 2007-05-16 21:01


--- E O F ---